Merge pull request #14 from 0xbadjuju/CS5
Cs5
Alexander authored Mar 19, 2019
2 parents 866a04c + 9440fcc commit 9f6ccaa
Showing 7 changed files with 74 additions and 29 deletions.
7 changes: 5 additions & 2 deletions Tokenvator/Enumeration.cs
Expand Up @@ -26,7 +26,9 @@ public static void EnumerateInteractiveUserSessions()
{
IntPtr j = new IntPtr(ppSessionInfo.ToInt64() + (i * Marshal.SizeOf(typeof(wtsapi32._WTS_SESSION_INFO))));
wtsapi32._WTS_SESSION_INFO wtsSessionInfo = (wtsapi32._WTS_SESSION_INFO)Marshal.PtrToStructure(j, typeof(wtsapi32._WTS_SESSION_INFO));
if (!wtsapi32.WTSQuerySessionInformationW(IntPtr.Zero, wtsSessionInfo.SessionId, wtsapi32._WTS_INFO_CLASS.WTSUserName, out IntPtr ppBuffer, out IntPtr pBytesReturned))
IntPtr ppBuffer, pBytesReturned;
ppBuffer = pBytesReturned = IntPtr.Zero;
if (!wtsapi32.WTSQuerySessionInformationW(IntPtr.Zero, wtsSessionInfo.SessionId, wtsapi32._WTS_INFO_CLASS.WTSUserName, out ppBuffer, out pBytesReturned))
{
Console.WriteLine("[-] {0}", Marshal.GetLastWin32Error());
continue;
Expand Down Expand Up @@ -96,7 +98,8 @@ public static Boolean ConvertSidToName(IntPtr sid, out String userName)
UInt32 cchName = (UInt32)lpName.Capacity;
StringBuilder lpReferencedDomainName = new StringBuilder();
UInt32 cchReferencedDomainName = (UInt32)lpReferencedDomainName.Capacity;
advapi32.LookupAccountSid(String.Empty, sid, lpName, ref cchName, lpReferencedDomainName, ref cchReferencedDomainName, out Winnt._SID_NAME_USE sidNameUse);
Winnt._SID_NAME_USE sidNameUse = new Winnt._SID_NAME_USE();
advapi32.LookupAccountSid(String.Empty, sid, lpName, ref cchName, lpReferencedDomainName, ref cchReferencedDomainName, out sidNameUse);

lpName.EnsureCapacity((Int32)cchName + 1);
lpReferencedDomainName.EnsureCapacity((Int32)cchReferencedDomainName + 1);
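Review bot: The pre-assignment `ppBuffer = pBytesReturned = IntPtr.Zero;` added at the top of the first hunk is dead code: C# 5 does not require definite assignment before an `out` argument and the callee overwrites both values, so `IntPtr ppBuffer, pBytesReturned;` is all the downgrade needs. The same redundant initialisation is repeated for `sidNameUse` in the second hunk (where `new` on an enum type is legal but reads oddly; `default(Winnt._SID_NAME_USE)` says what is meant) and again in the Program.cs, CheckPrivileges.cs, RestrictedToken.cs and Tokens.cs hunks, while the EnumerateTokenPrivileges hunk in Tokens.cs declares `UInt32 TokenInfLength;` bare, so the commit would read more consistently with one form throughout. EnumerateInteractiveUserSessions and ConvertSidToName both continue outside their hunks.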
8 changes: 5 additions & 3 deletions Tokenvator/Filters.cs
Expand Up @@ -8,7 +8,7 @@ namespace Tokenvator
{
class Filters : IDisposable
{
protected IntPtr hFilters;
protected IntPtr hFilters = IntPtr.Zero;
private FltUserStructures._FILTER_AGGREGATE_BASIC_INFORMATION info;

internal Filters()
Expand Down Expand Up @@ -45,7 +45,8 @@ internal virtual void Next()
UInt32 result = 0;
do
{
if (2147942522 != fltlib.FilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, out UInt32 lpBytesReturned))
UInt32 lpBytesReturned = 0;
if (2147942522 != fltlib.FilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, out lpBytesReturned))
{
break;
}
Expand All @@ -69,7 +70,8 @@ private static void Print(IntPtr baseAddress)
String altitude = Marshal.PtrToStringUni(lpAltitude, info.FilterAltitudeLength / 2);

String alarm = "";
if (UInt32.TryParse(altitude, out UInt32 dwAltitude))
UInt32 dwAltitude = 0;
if (UInt32.TryParse(altitude, out dwAltitude))
{
if (320000 <= dwAltitude && 329998 >= dwAltitude)
{
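Review bot: The rewritten `FilterFindNext` test in the Next() hunk still compares against the bare literal `2147942522`, which is 0x8007007A, i.e. HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER) for the zero-length sizing call; since the line is being touched anyway, naming it would make the loop's exit condition readable: `private const UInt32 HResultInsufficientBuffer = 0x8007007A; // HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER)` and `if (HResultInsufficientBuffer != fltlib.FilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, out lpBytesReturned))`. In the Print hunk, `UInt32.TryParse(altitude, out dwAltitude)` parses a machine-provided string under the current culture; `UInt32.TryParse(altitude, NumberStyles.None, CultureInfo.InvariantCulture, out dwAltitude)` pins that down, though whether an altitude string can carry a fractional part that would make the parse fail is not visible here. Next() and Print() both continue beyond their hunks.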
28 changes: 21 additions & 7 deletions Tokenvator/Program.cs
Expand Up @@ -133,15 +133,23 @@ internal void Run()
String input;
if (activateTabs)
{
input = console.ReadLine();
try
{
input = console.ReadLine();
}
catch (InvalidOperationException)
{
input = Console.ReadLine();
}
}
else
{
input = Console.ReadLine();
}

IntPtr tempToken = IntPtr.Zero;
kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out IntPtr hToken);
IntPtr hToken, tempToken;
hToken = tempToken = IntPtr.Zero;
kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out hToken);
switch (NextItem(ref input))
{
case "info":
Expand All @@ -156,7 +164,8 @@ internal void Run()
Console.WriteLine("");
CheckPrivileges.GetTokenGroups(hToken);
Console.WriteLine("");
CheckPrivileges.GetElevationType(hToken, out Winnt._TOKEN_TYPE tokenType);
Winnt._TOKEN_TYPE tokenType = new Winnt._TOKEN_TYPE();
CheckPrivileges.GetElevationType(hToken, out tokenType);
CheckPrivileges.PrintElevation(hToken);
break;
case "list_privileges":
Expand Down Expand Up @@ -438,7 +447,8 @@ public static String NextItem(ref String input)
////////////////////////////////////////////////////////////////////////////////
public static void GetSystem(String input, IntPtr hToken)
{
CheckPrivileges.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out Boolean exists, out Boolean enabled);
Boolean exists, enabled;
CheckPrivileges.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);
String item = NextItem(ref input);

if (exists)
Expand Down Expand Up @@ -528,7 +538,9 @@ public static void BypassUAC(String input)
////////////////////////////////////////////////////////////////////////////////
public static void StealToken(String input)
{
if (GetProcessID(input, out Int32 processID, out String command))
Int32 processID = 0;
String command = String.Empty;
if (GetProcessID(input, out processID, out command))
{
if (String.IsNullOrEmpty(command))
{
Expand All @@ -552,7 +564,9 @@ public static void StealToken(String input)
////////////////////////////////////////////////////////////////////////////////
public static void StealPipeToken(String input)
{
if (GetPipeName(input, out String pipeName, out String command))
String pipeName, command;
pipeName = command = String.Empty;
if (GetPipeName(input, out pipeName, out command))
{
if (pipeName.ToLower() == command.ToLower())
{
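Review bot: In the Run() hunk at @@ -133, the rewritten `kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out hToken);` still discards the call's result, so if it fails `hToken` stays at the `IntPtr.Zero` the new line above assigns and is handed to every command in the switch, which would presumably then fail with an invalid-handle error far from the cause. Assuming the P/Invoke returns the Win32 BOOL, a guard keeps the diagnostic where the failure happens: `if (!kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out hToken)) { Tokens.GetWin32Error("OpenProcessToken"); return; }` (or `continue`, depending on how Run() loops over input; `Tokens.GetWin32Error` is the helper the other hunks in this commit use). The new `try { input = console.ReadLine(); } catch (InvalidOperationException) { input = Console.ReadLine(); }` fallback is a reasonable best-effort, but a one-line comment naming the condition under which the tab-completing console throws InvalidOperationException would stop a later reader from deleting it as a swallowed exception. Run() starts and ends outside the hunk.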
30 changes: 21 additions & 9 deletions Tokenvator/Resources/CheckPrivileges.cs
Expand Up @@ -166,7 +166,8 @@ public static Boolean GetElevationType(IntPtr hToken, out Winnt._TOKEN_TYPE toke
////////////////////////////////////////////////////////////////////////////////
public static void GetTokenOwner(IntPtr hToken)
{
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out UInt32 returnLength);
UInt32 returnLength = 0;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out returnLength);
IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)returnLength);
Ntifs._TOKEN_OWNER tokenOwner;
try
Expand Down Expand Up @@ -194,7 +195,9 @@ public static void GetTokenOwner(IntPtr hToken)
}

Console.WriteLine("[+] Owner: ");
_ReadSidAndName(tokenOwner.Owner, out String sid, out String account);
String sid, account;
sid = account = String.Empty;
_ReadSidAndName(tokenOwner.Owner, out sid, out account);
Console.WriteLine("{0,-50} {1}", sid, account);
return;
}
Expand All @@ -204,7 +207,8 @@ public static void GetTokenOwner(IntPtr hToken)
////////////////////////////////////////////////////////////////////////////////
public static void GetTokenUser(IntPtr hToken)
{
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, 0, out UInt32 returnLength);
UInt32 returnLength = 0;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, 0, out returnLength);
IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)returnLength);
Ntifs._TOKEN_USER tokenUser;
try
Expand Down Expand Up @@ -232,7 +236,9 @@ public static void GetTokenUser(IntPtr hToken)
}

Console.WriteLine("[+] User: ");
_ReadSidAndName(tokenUser.User[0].Sid, out String sid, out String account);
String sid, account;
sid = account = String.Empty;
_ReadSidAndName(tokenUser.User[0].Sid, out sid, out account);
Console.WriteLine("{0,-50} {1}", sid, account);
return;
}
Expand All @@ -242,7 +248,8 @@ public static void GetTokenUser(IntPtr hToken)
////////////////////////////////////////////////////////////////////////////////
public static Boolean GetTokenGroups(IntPtr hToken)
{
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenGroups, IntPtr.Zero, 0, out UInt32 returnLength);
UInt32 returnLength = 0;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenGroups, IntPtr.Zero, 0, out returnLength);
IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)returnLength);
Ntifs._TOKEN_GROUPS tokenGroups;
try
Expand All @@ -268,7 +275,9 @@ public static Boolean GetTokenGroups(IntPtr hToken)
Console.WriteLine("[+] Enumerated {0} Groups: ", tokenGroups.GroupCount);
for (Int32 i = 0; i < tokenGroups.GroupCount; i++)
{
_ReadSidAndName(tokenGroups.Groups[i].Sid, out String sid, out String account);
String sid, account;
sid = account = String.Empty;
_ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
Console.WriteLine("{0,-50} {1}", sid, account);
}
return true;
Expand Down Expand Up @@ -314,7 +323,8 @@ public static Boolean CheckTokenPrivilege(IntPtr hToken, String privilegeName, o
exists = false;
enabled = false;
////////////////////////////////////////////////////////////////////////////////
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength);
UInt32 TokenInfLength = 0;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
if (TokenInfLength <= 0 || TokenInfLength > Int32.MaxValue)
{
Tokens.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
Expand Down Expand Up @@ -367,7 +377,8 @@ public static Boolean CheckTokenPrivilege(IntPtr hToken, String privilegeName, o
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};

if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out Int32 pfResult))
Int32 pfResult = 0;
if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
{
Tokens.GetWin32Error("PrivilegeCheck");
continue;
Expand Down Expand Up @@ -397,7 +408,8 @@ private static Boolean _QueryTokenInformation(IntPtr hToken, Winnt._TOKEN_INFORM
IntPtr lpTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UInt32)));
try
{
if (!advapi32.GetTokenInformation(hToken, informationClass, lpTokenInformation, tokenInformationLength, out UInt32 returnLength))
UInt32 returnLength = 0;
if (!advapi32.GetTokenInformation(hToken, informationClass, lpTokenInformation, tokenInformationLength, out returnLength))
{
Tokens.GetWin32Error("GetTokenInformation");
return false;
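Review bot: The rewritten sizing calls in the GetTokenOwner, GetTokenUser and GetTokenGroups hunks (`advapi32.GetTokenInformation(hToken, ..., IntPtr.Zero, 0, out returnLength);`) ignore the call's result and pass `returnLength` straight to `Marshal.AllocHGlobal((Int32)returnLength)`, whereas the CheckTokenPrivilege hunk in the same file rejects a zero length before allocating. If the handle is invalid or lacks query access, `returnLength` stays at the 0 the new declaration assigns and the code goes on with an empty buffer; what the following try block does with it is outside the hunk. Adding the guard the file already uses, `if (returnLength == 0) { Tokens.GetWin32Error("GetTokenInformation"); return; }` (`return false;` in GetTokenGroups), makes the three consistent with CheckTokenPrivilege. All of these methods continue past their hunks.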
3 changes: 2 additions & 1 deletion Tokenvator/RestrictedToken.cs
Expand Up @@ -29,7 +29,8 @@ public Boolean BypassUAC(Int32 processId, String command)
{
if (ImpersonateUser())
{
FindExe(ref command, out String arguments);
String arguments = String.Empty;
FindExe(ref command, out arguments);

if (CreateProcess.CreateProcessWithLogonW(phNewToken, command, arguments))
{
21 changes: 14 additions & 7 deletions Tokenvator/Tokens.cs
Expand Up @@ -112,7 +112,8 @@ out phNewToken
{
createProcess = CreateProcess.CreateProcessWithTokenW;
}
FindExe(ref newProcess, out String arguments);
String arguments = String.Empty;
FindExe(ref newProcess, out arguments);

if (!createProcess(phNewToken, newProcess, arguments))
{
Expand Down Expand Up @@ -345,7 +346,8 @@ public static void SetTokenPrivilege(ref IntPtr hToken, String privilege, Winnt.
};
Winnt._TOKEN_PRIVILEGES previousState = new Winnt._TOKEN_PRIVILEGES();
Console.WriteLine(" [*] AdjustTokenPrivilege");
if (!advapi32.AdjustTokenPrivileges(hToken, false, ref newState, (UInt32)Marshal.SizeOf(newState), ref previousState, out UInt32 returnLength))
UInt32 returnLength = 0;
if (!advapi32.AdjustTokenPrivileges(hToken, false, ref newState, (UInt32)Marshal.SizeOf(newState), ref previousState, out returnLength))
{
GetWin32Error("AdjustTokenPrivileges");
return;
Expand All @@ -366,7 +368,8 @@ public static void NukeTokenPrivilege(ref IntPtr hToken)
Winnt._TOKEN_PRIVILEGES newState = new Winnt._TOKEN_PRIVILEGES();
Winnt._TOKEN_PRIVILEGES previousState = new Winnt._TOKEN_PRIVILEGES();
Console.WriteLine(" [*] AdjustTokenPrivilege");
if (!advapi32.AdjustTokenPrivileges(hToken, true, ref newState, (UInt32)Marshal.SizeOf(typeof(Winnt._TOKEN_PRIVILEGES)), ref previousState, out UInt32 returnLength))
UInt32 returnLength = 0;
if (!advapi32.AdjustTokenPrivileges(hToken, true, ref newState, (UInt32)Marshal.SizeOf(typeof(Winnt._TOKEN_PRIVILEGES)), ref previousState, out returnLength))
{
GetWin32Error("AdjustTokenPrivileges");
}
Expand All @@ -380,7 +383,8 @@ public static void DisableAndRemoveAllTokenPrivileges(ref IntPtr hToken)
{
////////////////////////////////////////////////////////////////////////////////
Console.WriteLine("[*] Enumerating Token Privileges");
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength);
UInt32 TokenInfLength = 0;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);

if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue)
{
Expand Down Expand Up @@ -434,7 +438,8 @@ public static void DisableAndRemoveAllTokenPrivileges(ref IntPtr hToken)
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};

if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out Int32 pfResult))
Int32 pfResult = 0;
if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
{
GetWin32Error("PrivilegeCheck");
Marshal.FreeHGlobal(lpLuid);
Expand All @@ -457,7 +462,8 @@ public static void EnumerateTokenPrivileges(IntPtr hToken)
{
////////////////////////////////////////////////////////////////////////////////
Console.WriteLine("[*] Enumerating Token Privileges");
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength);
UInt32 TokenInfLength;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);

if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue)
{
Expand Down Expand Up @@ -511,7 +517,8 @@ public static void EnumerateTokenPrivileges(IntPtr hToken)
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};

if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out Int32 pfResult))
Int32 pfResult = 0;
if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
{
GetWin32Error("PrivilegeCheck");
Marshal.FreeHGlobal(lpLuid);
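Review bot: In the DisableAndRemoveAllTokenPrivileges and EnumerateTokenPrivileges hunks, the rewritten sizing call `advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);` is followed by the context check `if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue)`, and `TokenInfLength < 0` can never be true for a UInt32, so a failed call that leaves the length at 0 is not caught here — unlike CheckPrivileges.cs in this same commit, which tests `TokenInfLength <= 0`. Changing the condition to `if (TokenInfLength == 0 || TokenInfLength > Int32.MaxValue)` closes that gap in both methods. The two hunks also differ on `UInt32 TokenInfLength = 0;` versus the bare `UInt32 TokenInfLength;` in EnumerateTokenPrivileges; either is valid for an out argument, but one form should be used. Both methods continue outside their hunks.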
6 changes: 6 additions & 0 deletions Tokenvator/Tokenvator.csproj
Expand Up @@ -47,6 +47,7 @@
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
<LangVersion>5</LangVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<DebugType>pdbonly</DebugType>
Expand All @@ -56,6 +57,7 @@
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
<LangVersion>5</LangVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug-Net35|AnyCPU'">
<OutputPath>bin\Debug-Net35\</OutputPath>
Expand All @@ -66,6 +68,7 @@
<PlatformTarget>AnyCPU</PlatformTarget>
<ErrorReport>prompt</ErrorReport>
<CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
<LangVersion>5</LangVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release-Net35|AnyCPU'">
<OutputPath>bin\Release-Net35\</OutputPath>
Expand All @@ -76,6 +79,7 @@
<PlatformTarget>AnyCPU</PlatformTarget>
<ErrorReport>prompt</ErrorReport>
<CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
<LangVersion>5</LangVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug-Net45|AnyCPU'">
<OutputPath>bin\Debug-Net45\</OutputPath>
Expand All @@ -86,6 +90,7 @@
<PlatformTarget>AnyCPU</PlatformTarget>
<ErrorReport>prompt</ErrorReport>
<CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
<LangVersion>5</LangVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release-Net45|AnyCPU'">
<OutputPath>bin\Release-Net45\</OutputPath>
Expand All @@ -96,6 +101,7 @@
<PlatformTarget>AnyCPU</PlatformTarget>
<ErrorReport>prompt</ErrorReport>
<CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
<LangVersion>5</LangVersion>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
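Review bot: The six `<LangVersion>5</LangVersion>` additions record no reason for pinning the language level, which is the premise of this PR and the first thing a later maintainer will want to lift. An XML comment beside one of them would do, for example `<!-- LangVersion pinned to C# 5 (PR #14): the out-variable rewrites elsewhere in this commit exist to satisfy it; presumably needed for a toolchain without C# 7 support -->` — the toolchain rationale is inferred from the diff rather than stated on it, so confirm it before committing to that wording. Repeating the element in every conditional PropertyGroup also suggests it belongs once in an unconditional PropertyGroup, if the project has one; that part of the file is outside these hunks.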
